Connected Devices: The Hidden Smart Home Endpoints Expanding the Corporate Attack Surface

Amidst the scramble to secure remote working laptops, Phil Muncaster asks whether IT teams should focus their efforts more broadly

We all know the story so far. As organizations scrambled to support mass remote working in the early days of the pandemic, they unwittingly expanded the corporate attack surface. Distracted employees susceptible to phishing, insecure consumer-grade PCs, and vulnerabilities and misconfigurations in remote working infrastructure have all been held to blame. Over half (58%) of organizations are said to have suffered security breaches in the first few months of the crisis, despite most of them investing in new tools and updating policies.

Yet this is only part of the story. A report from HP highlights another key fact: that home workers’ printers and smart home devices are also exposing organizations to cyber risk. Ransomware and data theft, and the financial and reputational damage that follow, are top of mind for IT security leaders.

“With employees working remotely, the lines between work and personal equipment are blurred, and everyday actions — such as opening an attachment — can have serious consequences,” warns HP CISO, Joanna Burkey. “Without all of the pre-pandemic sources of visibility of devices, including how they are being used and by whom, IT and security teams are working with clouded vision.”

As the hybrid workplace emerges from the ashes of the pandemic, it’s clear that organizations must address this hidden threat. Doing so may require a new approach to endpoint security.

The Challenge of Ownership Psychology

The HP Wolf Security report, Blurred Lines and Blindspots, takes a detailed look at how the corporate attack surface has evolved during the pandemic. As we discussed in a previous article, much of the cybersecurity risk for enterprises now stems from remote workers’ PCs and laptops. Most (88%) global IT decision makers polled for the report claimed the risk of a breach had risen because staff are using personal devices not built with corporate security in mind, for example.

However, many (35%) also expressed concern about their lack of control over how work devices are being used and by whom. A dangerous ownership psychology appears to be emerging, where individuals start to believe their work laptops are indivisible from personal devices and therefore take more risks. IT leaders said they were worried about employees letting others use these devices (85%) and downloading unapproved software (88%). Both sets of risky behaviors are endemic among home workers.

Printer Problems

Yet there’s a bigger picture. Nearly half of these IT chiefs also claimed to have seen evidence of compromised printers being used as an attack point to target the corporate network. It’s an important point. Analyst Quocirca claims 83% of IT decision makers are concerned about home printing security. They’re right to be: in the six months before the report, two-thirds had experienced data losses due to insecure printing practices, rising to 74% in the US. This came in at a cost per breach of $1.7m (£1.2m) in the US.

According to report author, Louella Fernandes, all printers not under the direct control of IT are risky to an extent—although there’s not much to be worried about with a basic USB-connected inkjet.

“Once we get to the majority of modern printers, however, they have Wi-Fi access built in — and this is rarely protected. As such, external actors can use that as a Wi-Fi access point that can be used to gain access not only to the print jobs themselves, but as a vector to the rest of the network,” she tells Infosecurity. “Most network-attached devices also contain some form of storage to manage the queuing of print jobs, along with other information. This, if compromised, can provide different types of additional information to the attacker.”

IDC program VP, Kevin Kmetz, agrees, adding that many organizations erroneously assume that protection for remote printers is automatically handled by the enterprise’s endpoint security platform.

“Print is just one of many endpoints on the network, and security breaches can easily occur through any unsecured route to the home network. If that network is accessing company information, the vulnerability extends to that data as well,” he argues. “Print offers several points of vulnerability: the network connection, communication ports (fax on an MFP), device memory, BIOS/firmware, control panel, and mobile access. The printer is really a system with many of the same features as a PC, such as user interface and memory—but it also has the ability to produce content that anyone could pick up or send, and which can be intercepted and used if not encrypted.”

Already, attacks on home printers have gone beyond the theoretical, such as Check Point’s “Faxploit” research. A cybersecurity news outlet created a storm last year when it hijacked 28,000 connected printers after finding them accessible and unsecured via a simple Shodan search.

Why IoT Security Matters

In a similar way, IoT devices comprise a dangerous and growing attack surface for organizations and their home workers. The average American has access to over 10 devices in their household, according to 2020 research. These could include smart TVs and speakers, virtual reality headsets, smart lighting and much more.

Unfortunately, many of these devices are poorly engineered, which could lead to vulnerabilities and configuration issues for attackers to exploit, according to Gartner VP analyst, Chris Silva.

“In most cases the risk arises from poor security hygiene in the home. If default passwords on these devices can even be changed, users may not know how,” he tells Infosecurity. “Software and firmware updates, in addition to being difficult to administer, in many cases never materialize for lower-end devices, leaving hard-coded and configuration vulnerabilities locked in place.”

A July 2021 investigation by a consumer rights group reveals the scale of the challenge. It recorded over 12,000 malicious attempts to log in and scan for exposed devices in a single smart home, in just one week.

“These generally connect in a hub and spoke manner across the network, so a single device out on a spoke, if compromised, can be used to gain access to all the spokes — and beyond onto the rest of the network,” explains Quocirca’s Fernandes.

“The problem then becomes that the home network is having to connect at some level to the organization’s network. If this is a full connection, even over a VPN, then a compromised home network provides access through the corporate firewall into the walled garden. That can be nasty, as many organizations are more focused on dealing with external attacks, rather than ones that have managed to infiltrate those defenses.”

Securing the Smart Home

So what can organizations do to mitigate these emerging risks? Their focus should be on “protect, detect and recover,” according to IDC’s Kmetz.

“We also talk about a zero trust model, due to the need to support remote workers, cloud, and bring your own device (BYOD). The priority must be on automating security activities as much as possible, deploying multi-factor authentication, and developing a plan for increased use of BYOD,” he adds. “Also, regularly review data governance policies as part of compliance efforts, but also as an avenue to reduce security violations. Develop a list of approved vendors and products, and reinforce employee behavior with training in best practices.”

For HP’s Global Head of Security, Ian Pratt, the challenge around securing the remote worker has exposed the limitations of traditional endpoint security approaches.

“Sooner or later, an endpoint will be compromised. Clearly, a more architecturally robust process is needed to help secure remote workers,” he argues. “Organizations should apply sound engineering principles to secure critical systems, adopting a zero trust approach applied to the network and the endpoint. This will combine the principles of least privilege, strong identity, mandatory access control, and strong isolation to protect what organizations care about most and prevent attackers from escalating their access.”

To ensure home workers do not have to bear the burden of security, technology should be secure-by-design and support full visibility and management of every software layer inside printers, Pratt adds. That means the ability to remotely upgrade firmware and self-heal in the event devices are tampered with by malware. In the same way, company-approved devices should be instantly configured to corporate security policy as soon as they are connected to the network and automatically remediated if they fall out of compliance.

Ultimately, this is the start of a potentially long journey for organizations as they begin the transition to the new hybrid workplace. Those that grasp the importance of securing smart home printer and IoT devices first will be at a distinct advantage.


The Problem with Printers

  • 73% of global organizations expect home printing volumes to increase even as offices reopen
  • Only 19% are classed as print security leaders
  • Confidence in printer security has fallen from 33% to 21% since COVID began
  • Only a third (37%) of ITDMs are satisfied with their printer security
  • Nearly half (45%) have seen evidence of compromised printers used as an attack point

Source: Quocirca and HP


From the maker of the world’s most secure PCs* and Printers**, HP Wolf Security is a new breed of endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security*** provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf

*Based on HP’s unique and comprehensive security capabilities at no additional cost among vendors on HP Elite PCs with Windows and 8th Gen and higher Intel® processors or AMD Ryzen™ 4000 processors and higher; HP ProDesk 600 G6 with Intel® 10th Gen and higher processors; and HP ProBook 600 with AMD Ryzen™ 4000 or Intel® 11th Gen processors and higher.

**HP’s most advanced embedded security features are available on HP Enterprise and HP Managed devices with HP FutureSmart firmware 4.5 or above. Claim based on HP review of 2021 published features of competitive in-class printers. Only HP offers a combination of security features to automatically detect, stop, and recover from attacks with a self-healing reboot, in alignment with NIST SP 800-193 guidelines for device cyber resiliency. For a list of compatible products, visit: hp.com/go/PrintersThatProtect. For more information, visit: hp.com/go/PrinterSecurityClaims.

***HP Security is now HP Wolf Security. Security features vary by platform, please see product data sheet for details.

